Project Roller

Roller committer Glen Mazza (me!) has written a new article providing tips on how to efficiently work with the Apache Roller source code, helpful for those wishing to contribute to Apache Roller development and/or customize it for their particular needs.

The Apache Roller project has announced the availability of a new Apache Roller 5.0.3 release. This new release is identical to Apache Roller 5.0.2 but includes an updated Apache XML-RPC library that fixes a security vulnerability in Roller's XML-RPC feature.

All Roller sites are urged to upgrade to Roller 5.0.3 as soon as possible. Download Apache Roller 5.0.3 at the Roller downloads page here.

You can find a little more information about the vulnerabilities at the links below:

• The official release announcement: Apache Roller 5.0.3 available & upgrade recommended for all Roller sites
• CVE-2014-0030 Apache Roller XML-RPC susceptible to XML Entended Entity attacks

The Apache Roller project has announced the availability of a new Apache Roller 5.0.2 release. This new release is identical to Apache Roller 5.0.1 but with the addition of two security fixes: 1) fix for XSS vulnerability in Roller's search feeds 2) fix for remote code execution vulnerability.

All Roller sites are urged to upgrade to Roller 5.0.2 as soon as possible. Download Apache Roller 5.0.2 at the Roller downloads page here.

You can find a little more information about the vulnerabilities at the links below:

• The official release announcement: Apache Roller 5.0.2 available & upgrade recommended for all Roller sites
• CVE-2013-4171 Apache Roller RSS/Atom Feed templates contain XSS vulnerabilities
• CVE-2013-4212 Apache Roller contains remote code execution vulnerabilities
• This blog entry from Coverity explains the remote execution issue in more detail: Remote Code Execution in Apache Roller via OGNL Injection

Here's a wonderfully detailed and informative (even if you don't intend to use Roller) blog post from Roller committer Glen Mazza about how to install Roller on Red Hat's Open Shift platform as a service (PAAS) offering: Apache Roller on OpenShift

The Apache Roller project has announced the availability of a new Apache Roller 5.0.1 release. This new release is identical to Apache Roller 5.0 but with the addition of two security fixes: 1) fix for Cross-Site Scripting (XSS) vulnerabilities and 2) fix for Cross-Site Resource Forgery (XRSF) vulnerabilities.

All Roller sites are urged to upgrade to Roller 5.0.1 as soon as possible. Download Apache Roller 5.0.1 at the Roller downloads page here

The two security vulnerabilities have been reported to the [Full Disclosure mailing-list at grok.org.uk|http://www.grok.org.uk/full-disclosure/] and the [Bugtraq list at SecurityFocus.com|http://www.securityfocus.com/archive/1]. You can find a little more information about the vulnerabilities at the links below:

• CVE-2012-2380: Roller Cross-Site-Resource-Forgery (XSRF) vulnerability
• CVE-2012-2381: Roller Cross-Site-Scripting (XSS) vulnerability

Here's some more happy Roller news. Apache Roller 5.0 has been released!

The major new feature in Roller 5.0 is Media Blogging, a set of enhancements to Roller's file upload and management capabilities. Also included in 5.0 are simple multi-site support, ~OpenID and ~OAuth support for Roller's ~AtomPub interface. All major dependencies have been updated and Roller now uses Maven for build and dependency management. You can find a summary of Roller 5.0's new features on the Roller wiki.

The road to Roller 5.0 has been a long one and if you are interested the history, you might want to check Dave Johnson's What's New in Roller 5.0 presentation from ApacheCon US 2009. Roller 5.0 includes contributions from contributors from Google Summer of Code, San Jose State Univ. and the usual cast of Roller committers. Thanks to all who contributed to Roller 5.0 over the years.

To download Apache Roller 5.0 and documentation, visit the Apache Roller download page at the Apache Software Foundation's website.

Here's some happy news. A new committer has joined the Roller project. Shelan Perera has been helping out on the mailing lists, submitting fixes and recently won a Google Summer of Code (GSOC) project to add mobile blogging features to Roller. He was nominated for committership and voted in on May 5, 2011.

Shelan's GSOC project is to add mobile theming capabilities to Roller. You can find the Mobile Theming for Roller proposal on the GSOC website. Shelan is seeking feedback on requirements and design for the project, and keeping the community in the loop by running a blog to journal his progress: Apache Roller Mobile Platform.

Welcome Shelan!

If you’re a Roller user, developer, tester or technical writer then the Apache Roller project needs your help. This blog entry explains why Roller needs your help and how you can help. [Read More]